Recently, two new security weaknesses have been discovered in several electric vehicle (EV) charging systems. These weaknesses have raised concerns as they could be exploited by malicious actors to remotely shut down charging stations.
Furthermore, the weaknesses could expose the charging systems to data and energy theft, which could have serious consequences for both the EV owners and the charging station operators.
This discovery highlights the need for the EV charging industry to prioritize cybersecurity and to ensure that their systems are designed and implemented with security in mind.
There are several charging stations are involved in this security incident along the M11 motorway in Russia, which connects Moscow and Saint Petersburg. These charging stations have been hacked, and as a result, they have started displaying pro-Ukrainian messages.
While this hack has not only confused drivers but has also raised concerns about the security of these charging systems and the potential for similar incidents in the future.
EV Charge Points Hijack
Two vulnerabilities in the OCPP standard can be exploited by the attack method.
- Mishandling of Multiple Chargers’ Connections
In the field of electric vehicle charging, the Open Charge Point Protocol (OCPP), a type of standard protocol used in the industry of electric vehicle charging, has a potential vulnerability to exploit.
OCPP does not specify how a charging point (CP) should behave when it accepts a new connection while the original connection is still active.
Charge Points must be connected to a Central System Management Service (CSMS) to perform various functions, including charging authorization, payments, discounts, and billing reports.
- Weak Authentication Policy in the OCPP Standard
In accordance with the specifications of the OCPP protocol standard, version 1.6J, CPS can be authenticated by the CSMS account provider by utilizing one of three authentication methods: either the identity of the CP alone, the identity and credentials of the CP, or the client certificate and identity of the CP.
Emerging standards
The National Highway Traffic Safety Administration (NHTSA) in the US offers guidelines for software security for car manufacturers, but no mandatory regulations must be followed.
All home electric vehicle (EV) charging stations must meet authentication and data encryption requirements. Additionally, these charging stations must allow EV owners to erase their personal information and have the capability for regular security update checks.
Recommendations
Due to the fact that we are describing two different vulnerabilities, we should implement mitigations according to each of them.
- Mishandling of multiple CP connections
In the event that a Charging Station Management System (CSMS) receives multiple connections from a single Charging Point (CP), the CSMS is responsible for managing both connections until it determines which one is the legitimate and accurate connection.
This can be done by sending a WebSocket ping or an OCPP heartbeat request. If one of the connections fails to respond, the CSMS should disconnect it.
- Weak authentication policy in the OCPP standard
The Charging Point Operator (CPO) should implement stronger security measures, such as basic authentication, by creating a custom password instead of using the default factory password if one is provided.
However, in the future, the OCPP 2.0.1 standard and its security extension will mandate minimum security requirements for charging Points, which may include credentials, making the aforementioned recommendation potentially obsolete.
The OCPP 2.0.1 standard improves the security of charging points by mandating the use of credentials, effectively closing a security vulnerability. To address the situation of multiple connections from a single Charging Point, it is necessary to validate the connections through the use of a ping or heartbeat request.
Network Security Checklist – Download Free E-Book